Fossil SCM
The container doc bit on raw sockets now covers the other three Busybox utilities we left out previously. Today's removal of ping and traceroute merely completes the set; it wasn't complete in itself.
Commit
b429bd71db31318ea6597e04a4a962f47dcebaa6e70d6b84780f4a3636223a5f
Parent
c2eaa60da9bde44…
1 file changed
+10
-8
| --- www/build.wiki | ||
| +++ www/build.wiki | ||
| @@ -498,18 +498,20 @@ | ||
| 498 | 498 | front-end proxy]. You're more likely to say something like "<tt>-p |
| 499 | 499 | localhost:12345:8080</tt>", then configure the reverse proxy to |
| 500 | 500 | translate external HTTPS calls into HTTP directed at this internal |
| 501 | 501 | port 12345.)<p> |
| 502 | 502 | * <b><tt>NET_RAW</tt></b>: Fossil itself doesn't use raw sockets, and |
| 503 | - our build process leaves out <tt>ping</tt> and <tt>traceroute</tt>, | |
| 504 | - the only Busybox utilities that require that ability. If you need | |
| 505 | - to ping something, you can almost certainly do it just as well out | |
| 506 | - on the host; we foresee no compelling reason to use ping or | |
| 507 | - traceroute from inside the container.<p> If we did not take this | |
| 508 | - hard-line stance, an attacker that broke into the container and | |
| 509 | - gained root privileges could use raw sockets to do a wide array of | |
| 510 | - bad things to any network the container is bound to.<p> | |
| 503 | + our build process leaves out all the Busybox utilities that require | |
| 504 | + them. Although that set includes common tools like <tt>ping</tt>, | |
| 505 | + we foresee no compelling reason to use that or any of these other | |
| 506 | + elided utilities — <tt>ether-wake</tt>, <tt>netstat</tt>, | |
| 507 | + <tt>traceroute</tt>, and <tt>udhcp</tt> — inside the container. If | |
| 508 | + you need to ping something, do it on the host.<p> | |
| 509 | + If we did not take this hard-line stance, an attacker that broke | |
| 510 | + into the container and gained root privileges might use raw sockets | |
| 511 | + to do a wide array of bad things to any network the container is | |
| 512 | + bound to.<p> | |
| 511 | 513 | * <b><tt>SETFCAP, SETPCAP</tt></b>: There isn't much call for file |
| 512 | 514 | permission granularity beyond the classic Unix ones inside the |
| 513 | 515 | container, so we drop root's ability to change them. |
| 514 | 516 | |
| 515 | 517 | All together, we recommend adding the following options to your |
| 516 | 518 |
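Review bot: the new wording at lines 503-508 leaves it unclear whether the list ether-wake, netstat, traceroute, udhcp (plus ping) is the complete set of elided applets or just examples; "leaves out all the Busybox utilities that require them" followed by "any of these other elided utilities" reads both ways. Since a reader hardening the image will want to audit exactly what is missing, state explicitly that this is the full set (the commit message implies it is), and consider pointing at the build configuration that drops them so the claim can be checked. Also verify that each listed name matches the applet name a user would actually type inside the container; the DHCP code in Busybox ships as separate client and server applets rather than a single "udhcp" command, so list whichever of those the build removes.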